forked from extern/shorewall_code
Compare commits
26 Commits
5.0.13-bas
...
4.6.0
| Author | SHA1 | Date | |
|---|---|---|---|
|
e021285199 | ||
|
|
4dad6d2bb9 | ||
|
|
b537fab05d | ||
|
|
fbfb688346 | ||
|
|
9f9d9fd8d1 | ||
|
|
ec4fc4ee8f | ||
|
|
e64a7feda2 | ||
|
|
24721e01b6 | ||
|
|
5a22b14947 | ||
|
|
df738025a3 | ||
|
|
d49d352d77 | ||
|
|
0f6bd0e2af | ||
|
|
89c5d5080b | ||
|
|
66b3d9aeb5 | ||
|
|
b088ea77cd | ||
|
|
966926fac5 | ||
|
|
dcc2fb27c5 | ||
|
|
2859b1aa6e | ||
|
|
6d3b1d80d4 | ||
|
|
d5e83a5295 | ||
|
|
7835feb45e | ||
|
|
c6565f051e | ||
|
|
c9b6d4a670 | ||
|
|
b79191caa5 | ||
|
|
22662212e3 | ||
|
|
ffc564bdf9 |
2
Shorewall-core/configure
vendored
2
Shorewall-core/configure
vendored
@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
|
||||
eval $(cat /etc/os-release | grep ^ID=)
|
||||
|
||||
case $ID in
|
||||
fedora)
|
||||
fedora|rhel)
|
||||
vendor=redhat
|
||||
;;
|
||||
debian|ubuntu)
|
||||
|
||||
@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
|
||||
|
||||
$id =~ s/ID=//;
|
||||
|
||||
if ( $id eq 'fedora' ) {
|
||||
if ( $id eq 'fedora' || $id eq 'rhel' ) {
|
||||
$vendor = 'redhat';
|
||||
} elsif ( $id eq 'opensuse' ) {
|
||||
$vendor = 'suse';
|
||||
|
||||
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
|
||||
eval $(cat /etc/os-release | grep ^ID)
|
||||
|
||||
case $ID in
|
||||
fedora)
|
||||
fedora|rhel)
|
||||
BUILD=redhat
|
||||
;;
|
||||
debian)
|
||||
|
||||
@@ -252,7 +252,15 @@ show_classifiers() {
|
||||
|
||||
if [ -n "$qdisc" ]; then
|
||||
echo Device $device:
|
||||
tc -s filter ls dev $device
|
||||
qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
|
||||
tc filter show dev $device
|
||||
tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
|
||||
if [ -n "$class" ]; then
|
||||
echo
|
||||
echo Node $class
|
||||
tc filter show dev $device parent $class
|
||||
fi
|
||||
done
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
|
||||
eval $(cat /etc/os-release | grep ^ID=)
|
||||
|
||||
case $ID in
|
||||
fedora)
|
||||
fedora|rhel)
|
||||
BUILD=redhat
|
||||
;;
|
||||
debian|ubuntu)
|
||||
|
||||
@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
|
||||
eval $(cat /etc/os-release | grep ^ID)
|
||||
|
||||
case $ID in
|
||||
fedora)
|
||||
fedora|rhel)
|
||||
BUILD=redhat
|
||||
;;
|
||||
debian)
|
||||
|
||||
@@ -730,7 +730,7 @@ sub compiler {
|
||||
#
|
||||
# Do all of the zone-independent stuff (mostly /proc)
|
||||
#
|
||||
add_common_rules( $convert );
|
||||
add_common_rules( $convert, $tcrules );
|
||||
#
|
||||
# More /proc
|
||||
#
|
||||
@@ -819,7 +819,7 @@ sub compiler {
|
||||
#
|
||||
# Setup Nat
|
||||
#
|
||||
setup_nat if $family == F_IPV4;
|
||||
setup_nat;
|
||||
#
|
||||
# Setup NETMAP
|
||||
#
|
||||
|
||||
@@ -775,8 +775,8 @@ sub process_stoppedrules() {
|
||||
|
||||
sub setup_mss();
|
||||
|
||||
sub add_common_rules ( $ ) {
|
||||
my $upgrade = shift;
|
||||
sub add_common_rules ( $$ ) {
|
||||
my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
|
||||
my $interface;
|
||||
my $chainref;
|
||||
my $target;
|
||||
@@ -929,8 +929,8 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
run_user_exit1 'initdone';
|
||||
|
||||
if ( $upgrade ) {
|
||||
exit 0 unless convert_blacklist;
|
||||
if ( $upgrade_blacklist ) {
|
||||
exit 0 unless convert_blacklist || $upgrade_tcrules;
|
||||
} else {
|
||||
setup_blacklist;
|
||||
}
|
||||
|
||||
@@ -338,7 +338,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
minparams => 0,
|
||||
maxparams => 0 ,
|
||||
function => sub() {
|
||||
$target = 'CHECKSUM';
|
||||
$target = 'CHECKSUM --checksum-fill';
|
||||
},
|
||||
},
|
||||
|
||||
@@ -693,7 +693,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
( $cmd, $designator ) = split_action( $action );
|
||||
|
||||
if ( supplied $designator ) {
|
||||
fatal_error "Invalid chain designator ( $designator )" unless $designator = $designators{$designator};
|
||||
my $temp = $designators{$designator};
|
||||
fatal_error "Invalid chain designator ( $designator )" unless $temp;
|
||||
$designator = $temp;
|
||||
}
|
||||
|
||||
( $cmd , $params ) = get_target_param1( $cmd );
|
||||
@@ -710,11 +712,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
if ( $source ne '-' ) {
|
||||
if ( $source eq $fw ) {
|
||||
fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
|
||||
fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
|
||||
$chain = OUTPUT;
|
||||
$source = '-';
|
||||
} elsif ( $source =~ s/^($fw):// ) {
|
||||
fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
|
||||
fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
|
||||
$chain = OUTPUT;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
###################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/clear
|
||||
#
|
||||
# Add commands below that you want to be executed after Shorewall
|
||||
# has processed the 'clear' command.
|
||||
# Add commands below that you want to be executed after Shorewall has
|
||||
# processed the 'clear' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,12 +3,12 @@
|
||||
#
|
||||
# /etc/shorewall/findgw
|
||||
#
|
||||
# The code in this file is executed when Shorewall is trying to detect the
|
||||
# gateway through an interface in /etc/shorewall/providers that has GATEWAY
|
||||
# specified as 'detect'.
|
||||
# The code in this file is executed when Shorewall is trying to detect the
|
||||
# gateway through an interface in /etc/shorewall/providers that has GATEWAY
|
||||
# specified as 'detect'.
|
||||
#
|
||||
# The function should echo the IP address of the gateway if it knows what
|
||||
# it is; the name of the interface is in $1.
|
||||
# The function should echo the IP address of the gateway if it knows what
|
||||
# it is; the name of the interface is in $1.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,9 +3,9 @@
|
||||
#
|
||||
# /etc/shorewall/lib.private
|
||||
#
|
||||
# Use this file to declare shell functions to be called in the other
|
||||
# run-time extension scripts. The file will be copied into the generated
|
||||
# firewall script.
|
||||
# Use this file to declare shell functions to be called in the other
|
||||
# run-time extension scripts. The file will be copied into the generated
|
||||
# firewall script.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# Shorewall version 4 - Mangle File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-tcrules"
|
||||
# For information about entries in this file, type "man shorewall-mangle"
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
# For usage in selecting among multiple ISPs, see
|
||||
@@ -9,7 +9,6 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
##################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/refresh
|
||||
#
|
||||
# Add commands below that you want to be executed before Shorewall
|
||||
# has processed the 'refresh' command.
|
||||
# Add commands below that you want to be executed before Shorewall
|
||||
# has processed the 'refresh' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/refreshed
|
||||
#
|
||||
# Add commands below that you want to be executed after Shorewall
|
||||
# has processed the 'refresh' command.
|
||||
# Add commands below that you want to be executed after Shorewall has
|
||||
# processed the 'refresh' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/scfilter
|
||||
#
|
||||
# Replace the 'cat' command below to filter the output of
|
||||
# 'show connections.
|
||||
# Replace the 'cat' command below to filter the output of
|
||||
# 'show connections'.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -12,13 +12,13 @@
|
||||
STARTUP_ENABLED=No
|
||||
|
||||
###############################################################################
|
||||
# V E R B O S I T Y
|
||||
# V E R B O S I T Y
|
||||
###############################################################################
|
||||
|
||||
VERBOSITY=1
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
|
||||
BLACKLIST_LOG_LEVEL=
|
||||
@@ -100,7 +100,7 @@ QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT=Reject
|
||||
|
||||
###############################################################################
|
||||
# R S H / R C P C O M M A N D S
|
||||
# R S H / R C P C O M M A N D S
|
||||
###############################################################################
|
||||
|
||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||
@@ -271,8 +271,8 @@ MASK_BITS=
|
||||
ZONE_BITS=0
|
||||
|
||||
################################################################################
|
||||
# L E G A C Y O P T I O N
|
||||
# D O N O T D E L E T E O R A L T E R
|
||||
# L E G A C Y O P T I O N
|
||||
# D O N O T D E L E T E O R A L T E R
|
||||
################################################################################
|
||||
|
||||
IPSECFILE=zones
|
||||
|
||||
@@ -7,4 +7,4 @@
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
|
||||
# DMAX:UMAX
|
||||
# DMAX:UMAX
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/tcclear
|
||||
#
|
||||
# Add commands below that you want to be executed before Shorewall
|
||||
# clears the traffic shaping configuration.
|
||||
# Add commands below that you want to be executed before Shorewall clears
|
||||
# the traffic shaping configuration.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -6,5 +6,5 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
|
||||
@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
|
||||
eval $(cat /etc/os-release | grep ^ID)
|
||||
|
||||
case $ID in
|
||||
fedora)
|
||||
fedora|rhel)
|
||||
BUILD=redhat
|
||||
;;
|
||||
debian)
|
||||
|
||||
@@ -143,7 +143,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>(Formerly called SUBNET) -
|
||||
<term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
|
||||
-
|
||||
{<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
|
||||
|
||||
|
||||
@@ -136,6 +136,80 @@
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>RESTRICTIONS</title>
|
||||
|
||||
<para>DNAT rules always preempt one-to-one NAT rules. This has subtile
|
||||
consequences when there are sub-zones on an
|
||||
<replaceable>interface</replaceable>. Consider the following:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
smc:net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
|
||||
loc eth1 tcpflags,nosmurfs,routefilter,logmartians</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE HOST(S) OPTIONS
|
||||
smc eth0:10.1.10.0/24</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
10.1.10.100 eth0 172.20.1.100
|
||||
</programlisting>
|
||||
|
||||
<para>Note that the EXTERNAL address is in the <emphasis
|
||||
role="bold">smc</emphasis> zone.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
?SECTION RELATED
|
||||
?SECTION INVALID
|
||||
?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
...
|
||||
DNAT net loc:172.20.1.4 tcp 80</programlisting>
|
||||
|
||||
<para>For the one-to-one NAT to work correctly in this configuration, one
|
||||
of two approaches can be taken:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Define a CONTINUE policy with <emphasis
|
||||
role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<emphasis role="bold">smc $FW CONTINUE</emphasis>
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Set IMPLICIT_CONTINUE=Yes in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
|
||||
@@ -991,7 +991,10 @@
|
||||
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||
role="bold">DNAT</emphasis> or <emphasis
|
||||
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
||||
addresses in the range in a round-robin fashion.</para>
|
||||
addresses in the range in a round-robin fashion. <emphasis
|
||||
role="bold">DNAT</emphasis> and <emphasis
|
||||
role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
|
||||
ranges.</para>
|
||||
|
||||
<para>If you kernel and iptables have ipset match support then you
|
||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
# This action A_ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
?format 2
|
||||
#TARGET SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
?comment Needed ICMP types (RFC4890)
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
?format 2
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
|
||||
@@ -14,6 +14,7 @@
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
?format 2
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
|
||||
@@ -7,7 +7,6 @@
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
###############################################################################
|
||||
########################################################################################
|
||||
#ACTION OPTIONS COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
|
||||
@@ -6,6 +6,6 @@
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
###########################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
########################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall6/clear
|
||||
#
|
||||
# Add commands below that you want to be executed after Shorewall6
|
||||
# has processed the 'clear' command.
|
||||
# Add commands below that you want to be executed after Shorewall6 has
|
||||
# processed the 'clear' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,9 +3,9 @@
|
||||
#
|
||||
# /etc/shorewall6/lib.private
|
||||
#
|
||||
# Use this file to declare shell functions to be called in the other
|
||||
# run-time extension scripts. The file will be copied into the generated
|
||||
# firewall script.
|
||||
# Use this file to declare shell functions to be called in the other
|
||||
# run-time extension scripts. The file will be copied into the generated
|
||||
# firewall script.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# Shorewall6 version 4 - Mangle File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall6-tcrules"
|
||||
# For information about entries in this file, type "man shorewall6-mangle"
|
||||
#
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
# For usage in selecting among multiple ISPs, see
|
||||
@@ -9,6 +9,6 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
###########################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
# PORT(S) PORT(S)
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall6/refresh
|
||||
#
|
||||
# Add commands below that you want to be executed before Shorewall6
|
||||
# has processed the 'refresh' command.
|
||||
# Add commands below that you want to be executed before Shorewall6 has
|
||||
# processed the 'refresh' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall6/refreshed
|
||||
#
|
||||
# Add commands below that you want to be executed after Shorewall6
|
||||
# has processed the 'refresh' command.
|
||||
# Add commands below that you want to be executed after Shorewall6 has
|
||||
# processed the 'refresh' command.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall/scfilter
|
||||
#
|
||||
# Replace the 'cat' command below to filter the output of
|
||||
# 'show connections.
|
||||
# Replace the 'cat' command below to filter the output of
|
||||
# 'show connections'.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
STARTUP_ENABLED=No
|
||||
|
||||
###############################################################################
|
||||
# V E R B O S I T Y
|
||||
# V E R B O S I T Y
|
||||
###############################################################################
|
||||
|
||||
VERBOSITY=1
|
||||
@@ -97,7 +97,7 @@ QUEUE_DEFAULT=none
|
||||
REJECT_DEFAULT=Reject
|
||||
|
||||
###############################################################################
|
||||
# R S H / R C P C O M M A N D S
|
||||
# R S H / R C P C O M M A N D S
|
||||
###############################################################################
|
||||
|
||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
#
|
||||
# /etc/shorewall6/tcclear
|
||||
#
|
||||
# Add commands below that you want to be executed before Shorewall6
|
||||
# clears the traffic shaping configuration.
|
||||
# Add commands below that you want to be executed before Shorewall6 clears
|
||||
# the traffic shaping configuration.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
||||
@@ -6,5 +6,5 @@
|
||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
||||
#
|
||||
########################################################################################################
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH PRIORITY
|
||||
#CLASS PORT(S) PORT(S)
|
||||
|
||||
@@ -530,7 +530,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 8:</term>
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Your sit1 interface has two public IP addresses:
|
||||
|
||||
@@ -934,6 +934,17 @@
|
||||
<para>Restriction: MAC addresses are not allowed (this is a
|
||||
Netfilter restriction).</para>
|
||||
|
||||
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
||||
you may specify a range of IP addresses using the syntax
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||
role="bold">DNAT</emphasis> or <emphasis
|
||||
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
||||
addresses in the range in a round-robin fashion. <emphasis
|
||||
role="bold">DNAT</emphasis> and <emphasis
|
||||
role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
|
||||
ranges.</para>
|
||||
|
||||
<para>If you kernel and ip6tables have ipset match support then you
|
||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
||||
optionally followed by a number from 1 to 6 enclosed in square
|
||||
|
||||
@@ -49,8 +49,7 @@
|
||||
support is based on <ulink
|
||||
url="http://ipset.netfilter.org/">ipset</ulink>. Most current
|
||||
distributions have ipset, but you may need to install the <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
|
||||
</para>
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="xtables-addons">
|
||||
@@ -211,9 +210,9 @@
|
||||
net ipv4
|
||||
rsyncok:loc ipv4 <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
loc eth1 - …</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth0 …
|
||||
loc eth1 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
@@ -308,9 +307,8 @@ rsyncok:
|
||||
loc ipv4
|
||||
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth0 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
|
||||
81
docs/FAQ.xml
81
docs/FAQ.xml
@@ -516,8 +516,8 @@ DNAT net net:66.249.93.111:993 tcp 80 - 2
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>, specify the
|
||||
<emphasis role="bold">routeback</emphasis> option on
|
||||
eth0:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect <emphasis role="bold">routeback</emphasis></programlisting></para>
|
||||
eth0:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 <emphasis role="bold">routeback</emphasis></programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
|
||||
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
|
||||
@@ -700,15 +700,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/masq</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
|
||||
<emphasis role="bold">eth1:192.168.1.5 eth1 192.168.1.254 tcp www</emphasis></programlisting>
|
||||
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>
|
||||
|
||||
<para>Note: The technique described here is known as
|
||||
<firstterm>hairpinning NAT</firstterm> and is described in section 6
|
||||
@@ -718,7 +718,7 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
|
||||
source:</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
|
||||
eth1:192.168.1.5 eth1 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
|
||||
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -746,6 +746,12 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
||||
DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
|
||||
time that you get a new IP address.</para>
|
||||
|
||||
<note>
|
||||
<para>If your local interface is a bridge, see <link
|
||||
linkend="faq2e">FAQ 2e</link> for additional configuration
|
||||
steps.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>For optional interfaces, use the function <emphasis
|
||||
role="bold">find_first_interface_address_if_any()</emphasis>
|
||||
@@ -815,8 +821,8 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
dmz eth2 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/masq</filename>:</para>
|
||||
|
||||
@@ -915,6 +921,59 @@ DNAT loc dmz:192.168.2.4 tcp 80 - <emph
|
||||
INTERFACES column of each entry in <ulink
|
||||
url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq2e">
|
||||
<title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
|
||||
is a bridge and the solution in FAQ 2 doesn't work</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
|
||||
is br0 and that eth2 is the bridge port that connects to the LAN
|
||||
containing 192.168.1.5</para>
|
||||
|
||||
<para>In addition to the steps in FAQ 2 (replacing eth1 with br0), you
|
||||
also need to:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Set the <firstterm>hairpin</firstterm> option on
|
||||
eth2.</para>
|
||||
|
||||
<programlisting>brctl hairpin br0 eth2 on</programlisting>
|
||||
|
||||
<para>On Debian and derivitives, you can place that command in
|
||||
/etc/network/interfaces as a post-up command:</para>
|
||||
|
||||
<programlisting>auto br0
|
||||
iface br0 inet static
|
||||
bridge_ports eth2
|
||||
bridge_fd 0
|
||||
bridge_maxwait 0
|
||||
address 192.168.1.1
|
||||
netmask 255.255.255.0
|
||||
<emphasis role="bold">post-up /sbin/brctl hairpin br0 eth2 on</emphasis></programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Install ebtables if it is not already installed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Be sure that all traffic going out of eth2 has the correct
|
||||
MAC address.</para>
|
||||
|
||||
<programlisting>ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
|
||||
|
||||
<para>where br0-MAC-address is the MAC address of br0.</para>
|
||||
|
||||
<para>Here's a working example of /etc/shorewall/start that
|
||||
executes the above command.</para>
|
||||
|
||||
<programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
|
||||
<emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65</emphasis>
|
||||
fi</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -940,6 +999,12 @@ DNAT loc dmz:192.168.2.4 tcp 80 - <emph
|
||||
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
to implement blacklisting by destination IP address.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 4.4.26, you can use <ulink
|
||||
url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
|
||||
to implement arbitrary blacklist rules.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section id="faq84">
|
||||
|
||||
@@ -86,8 +86,8 @@ vpn ipv4</programlisting>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 10.255.255.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
@@ -99,8 +99,8 @@ generic:47 net 134.28.54.2</programlisting>
|
||||
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
|
||||
be accepted to/from the remote gateway.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 192.168.1.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
|
||||
@@ -103,8 +103,8 @@ vpn ipv4</programlisting>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tosysb 10.255.255.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tosysb</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
|
||||
@@ -238,7 +238,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network. We assume that on both
|
||||
@@ -481,7 +481,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
when you travel and you want to be able to establish a secure connection
|
||||
back to your local network.</para>
|
||||
|
||||
<graphic fileref="images/Mobile.png"/>
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<example id="roadWarrior">
|
||||
<title>Road Warrior VPN</title>
|
||||
@@ -734,9 +734,9 @@ loc ipv4
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 192.168.1.255
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter
|
||||
loc eth1 -
|
||||
l2tp ppp+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
@@ -827,9 +827,9 @@ HTTPS(ACCEPT) l2tp $FW
|
||||
hosts in that network. In that case, IPSEC transport mode is an
|
||||
appropriate solution.</para>
|
||||
|
||||
<para><graphic fileref="images/TransportMode.png"/>Here's an example using
|
||||
the ipsec-tools package. The files shown are from host 192.168.20.10; the
|
||||
configuration of the other nodes is similar.</para>
|
||||
<para><graphic fileref="images/TransportMode.png" />Here's an example
|
||||
using the ipsec-tools package. The files shown are from host
|
||||
192.168.20.10; the configuration of the other nodes is similar.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/racoon/racoon.conf</filename>:</para>
|
||||
@@ -889,8 +889,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter,dhcp,tcpflags
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter,dhcp,tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
@@ -200,12 +200,12 @@ vpn eth0:192.168.1.0/24</programlisting>
|
||||
|
||||
<para>/etc/shorewall/masq - System A</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||
eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
|
||||
|
||||
<para>/etc/shorewall/masq - System B</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||
eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -425,8 +425,8 @@ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
|
||||
Shorewall will issue warnings to that effect. These warnings may be safely
|
||||
ignored. FreeS/Wan may now be configured to have three different Road
|
||||
Warrior connections with the choice of connection being based on X-509
|
||||
certificates or some other means. Each of these connections will utilize
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
certificates or some other means. Each of these connections will utilize a
|
||||
different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the
|
||||
|
||||
@@ -181,10 +181,10 @@ dmz ipv4</programlisting>
|
||||
file. In the three-interface sample, the three zones are defined using
|
||||
that file as follows:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 dhcp,routefilter
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
|
||||
hosts interfacing to the firewall through eth0, the
|
||||
@@ -201,10 +201,10 @@ dmz eth2 detect</programlisting>
|
||||
file or you may use the nets= option in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter,nets=(!192.168.0.0/23)
|
||||
loc eth1 detect nets=(192.168.0.0/24)
|
||||
dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 dhcp,routefilter,nets=(!192.168.0.0/23)
|
||||
loc eth1 nets=(192.168.0.0/24)
|
||||
dmz eth2 nets=(192.168.1.0/24)</programlisting>
|
||||
|
||||
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
|
||||
hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>
|
||||
|
||||
@@ -68,10 +68,10 @@
|
||||
optional interfaces for the 'net' zone in
|
||||
<filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect optional,…
|
||||
net wlan0 detect optional,…
|
||||
net ppp0 - optional,…</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 optional,…
|
||||
net wlan0 optional,…
|
||||
net ppp0 optional,…</programlisting>
|
||||
|
||||
<para>With this configuration, access to the 'net' zone is possible
|
||||
regardless of which of the interfaces is being used.</para>
|
||||
|
||||
@@ -172,12 +172,12 @@ MACLIST_LOG_LEVEL=info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF 192.168.1.255 dhcp
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF dhcp
|
||||
dmz $DMZ_IF -
|
||||
vpn tun+ -
|
||||
Wifi $WIFI_IF - maclist,dhcp
|
||||
Wifi $WIFI_IF maclist,dhcp
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>/etc/shorewall/maclist:</para>
|
||||
|
||||
@@ -832,9 +832,9 @@ ISP2 2 2 main eth1 130.252.99.254 track,ba
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect …
|
||||
net eth1 detect …</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 …
|
||||
net eth1 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
@@ -1991,9 +1991,9 @@ ComcastC 2 - - eth0 detect loose,fallback,load=0.33
|
||||
<para>You specify the <option>optional</option> option in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect <emphasis role="bold">optional</emphasis>
|
||||
net eth1 detect <emphasis role="bold">optional</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 <emphasis role="bold">optional</emphasis>
|
||||
net eth1 <emphasis role="bold">optional</emphasis></programlisting>
|
||||
|
||||
<section id="lsm">
|
||||
<title>Link Status Monitor (LSM)</title>
|
||||
@@ -2562,11 +2562,11 @@ kvm all ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting></para>
|
||||
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE PTIONS GATEWAY
|
||||
#
|
||||
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 detect routeback #Virtual Machines</programlisting><note>
|
||||
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 routeback #Virtual Machines</programlisting><note>
|
||||
<para><filename class="devicefile">wlan0</filename> is the wireless
|
||||
adapter in the notebook. Used when the laptop is in our home but not
|
||||
connected to the wired network.</para>
|
||||
|
||||
@@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
- eth1 192.168.1.255
|
||||
<programlisting>#ZONE INTERFACE
|
||||
- eth1
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
loc eth1 -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE
|
||||
loc eth1</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
|
||||
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
|
||||
|
||||
@@ -130,7 +130,7 @@ vpn ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -198,7 +198,7 @@ verb 5</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
B:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0 </programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -269,7 +269,7 @@ road ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
road tun+</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -355,7 +355,7 @@ home ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
B:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
home tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -586,14 +586,14 @@ net ipv4 #Internet
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc INT_IF detect dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
|
||||
net COM_IF detect dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
|
||||
<emphasis role="bold">vpn TUN_IF+ detect physical=tun+,routeback</emphasis>
|
||||
- sit1 - ignore
|
||||
<emphasis role="bold">- mac - ignore</emphasis>
|
||||
- EXT_IF - ignore
|
||||
- lo - ignore</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc INT_IF dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
|
||||
net COM_IF dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
|
||||
<emphasis role="bold">vpn TUN_IF+ physical=tun+,routeback</emphasis>
|
||||
- sit1 ignore
|
||||
<emphasis role="bold">- mac ignore</emphasis>
|
||||
- EXT_IF ignore
|
||||
- lo ignore</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
@@ -617,10 +617,10 @@ rest ipv6</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net sit1 detect tcpflags,forward=1,nosmurfs,routeback
|
||||
loc eth4 detect tcpflags,forward=1
|
||||
<emphasis role="bold">loc mac detect tcpflags,forward=1</emphasis>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net sit1 tcpflags,forward=1,nosmurfs,routeback
|
||||
loc eth4 tcpflags,forward=1
|
||||
<emphasis role="bold">loc mac tcpflags,forward=1</emphasis>
|
||||
rest eth+</programlisting>
|
||||
|
||||
<para>Note that in the IPv6 firewall configuration, the remove Macbook
|
||||
|
||||
@@ -149,9 +149,9 @@ vz ipv4</programlisting>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 - proxyarp=1
|
||||
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 proxyarp=1
|
||||
vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -159,8 +159,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
|
||||
|
||||
<para>If you run Shorewall Multi-ISP support on the host, you should
|
||||
arrange for traffic to your containers to use the main routing table. In
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules
|
||||
is appropriate:</para>
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules is
|
||||
appropriate:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.178 main 1000</programlisting>
|
||||
@@ -472,11 +472,11 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=venet0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
role="bold">proxyarp=1</emphasis>
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
...</programlisting>This is a multi-ISP configuration so entries are required
|
||||
in <filename>/etc/shorewall/rtrules</filename>:</para>
|
||||
|
||||
@@ -508,8 +508,8 @@ net ipv4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">venet0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">venet0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -783,10 +783,10 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=vzbr0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
...</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp:</filename></para>
|
||||
@@ -820,8 +820,8 @@ net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
||||
@@ -147,16 +147,16 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.5</title>
|
||||
<title>Shorewall 4.5/4.6</title>
|
||||
|
||||
<para>Shorewall 4.5 adds an additional <emphasis
|
||||
<para>Shorewall 4.5 added an additional <emphasis
|
||||
role="bold">Shorewall-core</emphasis> package. This package contains the
|
||||
core Shorewall shell libraries that are required by the other
|
||||
packages.</para>
|
||||
</section>
|
||||
|
||||
<section id="Prereqs">
|
||||
<title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
|
||||
<title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
|
||||
Perl-based Compiler</title>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
@@ -257,8 +257,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -327,8 +327,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -402,8 +402,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- lo - -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- lo -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
|
||||
@@ -298,8 +298,8 @@ loc ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
||||
ACCEPT rules for the traffic that you want to permit.</para>
|
||||
@@ -320,7 +320,7 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- eth1 - </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
@@ -108,9 +108,9 @@
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback</emphasis>,...</programlisting>
|
||||
|
||||
<para>So the key points here are:</para>
|
||||
@@ -140,9 +140,9 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
|
||||
|
||||
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
|
||||
should also specify the <emphasis role="bold">bridge</emphasis>
|
||||
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
option:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
|
||||
|
||||
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
||||
|
||||
@@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
||||
role="bold">upnp</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
|
||||
|
||||
<para>If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:</para>
|
||||
|
||||
@@ -203,8 +203,8 @@ loc ipv4
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">rem ppp0 -</emphasis></programlisting>
|
||||
</section>
|
||||
@@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">- tun+ -</emphasis></programlisting>
|
||||
|
||||
|
||||
@@ -580,16 +580,15 @@ OMAK=<IP address at our second home>
|
||||
|
||||
<programlisting>echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename> (don't specify
|
||||
the BROADCAST addresses if you are using Shorewall-perl):</para>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net ${EXT_IF} detect dhcp,logmartians=1,blacklist
|
||||
dmz $DMZ_IF detect logmartians=1
|
||||
loc $INT_IF detect dhcp,logmartians=1,routeback,bridge
|
||||
loc $TEST_IF detect optional
|
||||
loc $TEST1_IF detect optional
|
||||
wifi $WIFI_IF detect dhcp,maclist,mss=1400
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net ${EXT_IF} dhcp,logmartians=1,blacklist
|
||||
dmz $DMZ_IF logmartians=1
|
||||
loc $INT_IF dhcp,logmartians=1,routeback,bridge
|
||||
loc $TEST_IF optional
|
||||
loc $TEST1_IF optional
|
||||
wifi $WIFI_IF dhcp,maclist,mss=1400
|
||||
vpn tun+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
@@ -624,7 +623,7 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
|
||||
|
||||
COMMENT Masquerade Local Network
|
||||
|
||||
$EXT_IF $INT_IF 206.124.146.179
|
||||
$EXT_IF 192.168.1.0/24 206.124.146.179
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
@@ -450,9 +450,9 @@ all all ACCEPT
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc xenbr0 192.168.1.255 dhcp,routeback
|
||||
dmz xenbr1 - routeback
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc xenbr0 dhcp,routeback
|
||||
dmz xenbr1 routeback
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
@@ -601,11 +601,11 @@ OMAK=<IP address at our second home>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,logmartians,blacklist,tcpflags,nosmurfs
|
||||
dmz $DMZ_IF 192.168.0.255 logmartians
|
||||
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
|
||||
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $EXT_IF dhcp,logmartians,blacklist,tcpflags,nosmurfs
|
||||
dmz $DMZ_IF logmartians
|
||||
loc $INT_IF dhcp,routeback,logmartians
|
||||
wifi $WIFI_IF dhcp,maclist
|
||||
vpn tun+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
|
||||
@@ -596,8 +596,8 @@ all all REJECT info
|
||||
is connected to <filename class="devicefile">eth0</filename> and the
|
||||
switch to <filename class="devicefile">eth1</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 detect bridge
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
net br0:eth0
|
||||
loc br0:eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
@@ -645,9 +645,9 @@ br0 192.168.1.0/24 routeback
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
z1 br0:p+
|
||||
z2 br1:p+</programlisting>
|
||||
|
||||
@@ -657,11 +657,11 @@ br0 192.168.1.0/24 routeback
|
||||
configuration may be defined using the following in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
z1 br0:x+ - physical=p+
|
||||
z2 br1:y+ - physical=p+</programlisting>
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
z1 br0:x+ physical=p+
|
||||
z2 br1:y+ physical=p+</programlisting>
|
||||
|
||||
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
||||
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
||||
@@ -710,11 +710,11 @@ loc ipv4</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
||||
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
pub br0 detect routefilter,bridge
|
||||
follows:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
pub br0 routefilter,bridge
|
||||
net br0:eth0
|
||||
dmz br0:eth2
|
||||
loc eth1 detect</programlisting></para>
|
||||
loc eth1</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -887,7 +887,7 @@ col ipv4 nomark</emphasis></programlisting>
|
||||
role="bold">loc</emphasis> spelled backward.</para>
|
||||
</note>
|
||||
|
||||
<programlisting>#ZONE INTERFACES BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACES OPTIONS
|
||||
net eth0 ...
|
||||
- br0 ...
|
||||
zone1 br0:eth1 ...
|
||||
|
||||
@@ -416,10 +416,10 @@ all all REJECT info</programlisting>
|
||||
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
|
||||
</ulink>file, that file would might contain:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
|
||||
in the /etc/shorewall/interfaces file.</para>
|
||||
@@ -435,10 +435,10 @@ dmz eth2 detect</programlisting>
|
||||
<example id="multi">
|
||||
<title>Multiple Interfaces to a Zone</title>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
loc eth2 detect</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
loc eth2</programlisting>
|
||||
</example>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
@@ -1816,22 +1816,10 @@ ACCEPT net $FW tcp ssh #SSH to the
|
||||
<para><filename>/etc/shorewall/interfaces</filename> (The
|
||||
<quote>options</quote> will be very site-specific).</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>The setup described here requires that your network interfaces be
|
||||
brought up before Shorewall can start. This opens a short window during
|
||||
which you have no firewall protection. If you replace
|
||||
<quote>detect</quote> with the actual broadcast addresses in the entries
|
||||
above, you can bring up Shorewall before you bring up your network
|
||||
interfaces.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 192.0.2.255
|
||||
loc eth1 192.168.201.7
|
||||
dmz eth2 192.168.202.7</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The currently-supported Shorewall <ulink
|
||||
url="ReleaseModel.html">major release</ulink> is 4.5.</para>
|
||||
url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
|
||||
|
||||
<note>
|
||||
<para>Shorewall versions earlier than 4.5.0 are no longer supported;
|
||||
@@ -60,7 +60,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The <ulink url="FAQ.htm">FAQ</ulink> has solutions to more than
|
||||
90 common problems.</para>
|
||||
100 common problems.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -1802,7 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- ifb0</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
@@ -1229,8 +1229,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
network interface. If the wireless interface is <filename
|
||||
class="devicefile">wlan0</filename>, the entry might look like:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc wlan0 detect maclist</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc wlan0 maclist</programlisting>
|
||||
|
||||
<para>As shown in the above entry, I recommend using the <ulink
|
||||
url="MAC_Validation.html">maclist option</ulink> for the wireless
|
||||
|
||||
@@ -78,6 +78,166 @@
|
||||
zones.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 4.6.0</title>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.6.0, ection headers are now preceded
|
||||
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
|
||||
'SECTION' entries, the following warning is issued: </para>
|
||||
|
||||
<programlisting>WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...</programlisting>
|
||||
|
||||
<para>As mentioned in the message, running 'shorewall[6] update -D'
|
||||
will eliminate the warning.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.6.0, the 'tcrules' file has been
|
||||
superceded by the 'mangle' file. Existing 'tcrules' files will still
|
||||
be processed, with the restriction that TPROXY is no longer supported
|
||||
in FORMAT 1. If your 'tcrules' file has non-commentary entries, the
|
||||
following warning message is issued:</para>
|
||||
|
||||
<programlisting>WARNING: Non-empty tcrules file (...); consider running 'shorewall update -t'</programlisting>
|
||||
|
||||
<para>See <ulink url="manpages/shorewall.html">shorewall</ulink>(8)
|
||||
for limitations of 'update -t'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The default value LOAD_HELPERS_ONLY is now 'Yes'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> Beginning with Shorewall 4.5.0, FORMAT-1 actions and macros are
|
||||
deprecated and a warning will be issued for each FORMAT-1 action or
|
||||
macro found.</para>
|
||||
|
||||
<programlisting>WARNING: FORMAT-1 actions are deprecated and support will be dropped in a future release.</programlisting>
|
||||
|
||||
<programlisting>WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.</programlisting>
|
||||
|
||||
<para> To eliminate these warnings, add the following line before the
|
||||
first rule in the action or macro: </para>
|
||||
|
||||
<programlisting>?FORMAT 2</programlisting>
|
||||
|
||||
<para>and adjust the columns appropriately. FORMAT-1 actions have the
|
||||
following columns:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>TARGET</member>
|
||||
|
||||
<member>SOURCE</member>
|
||||
|
||||
<member>DEST</member>
|
||||
|
||||
<member>PROTO</member>
|
||||
|
||||
<member>DEST PORT(S)</member>
|
||||
|
||||
<member>SOURCE PORT(S)</member>
|
||||
|
||||
<member>RATE/LIMIT</member>
|
||||
|
||||
<member>USER/GROUP</member>
|
||||
|
||||
<member>MARK</member>
|
||||
</simplelist>
|
||||
|
||||
<para>while FORMAT-2 actions have these columns:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>TARGET</member>
|
||||
|
||||
<member>SOURCE</member>
|
||||
|
||||
<member>DEST</member>
|
||||
|
||||
<member>PROTO</member>
|
||||
|
||||
<member>DEST PORT(S)</member>
|
||||
|
||||
<member>SOURCE PORT(S)</member>
|
||||
|
||||
<member>ORIGINAL DEST</member>
|
||||
|
||||
<member>RATE/LIMIT</member>
|
||||
|
||||
<member>USER/GROUP</member>
|
||||
|
||||
<member>MARK</member>
|
||||
|
||||
<member>CONLIMIT</member>
|
||||
|
||||
<member>TIME</member>
|
||||
|
||||
<member>HEADERS (Used in IPv6 only)</member>
|
||||
|
||||
<member>CONDITION</member>
|
||||
|
||||
<member>HELPER</member>
|
||||
</simplelist>
|
||||
|
||||
<para>FORMAT-1 macros have the following columns:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>TARGET</member>
|
||||
|
||||
<member>SOURCE</member>
|
||||
|
||||
<member>DEST</member>
|
||||
|
||||
<member>PROTO</member>
|
||||
|
||||
<member>DEST PORT(S)</member>
|
||||
|
||||
<member>SOURCE PORT(S)</member>
|
||||
|
||||
<member>RATE/LIMIT</member>
|
||||
|
||||
<member>USER/GROUP</member>
|
||||
</simplelist>
|
||||
|
||||
<para>while FORMAT-2 macros have the following columns:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>TARGET</member>
|
||||
|
||||
<member>SOURCE</member>
|
||||
|
||||
<member>DEST</member>
|
||||
|
||||
<member>PROTO</member>
|
||||
|
||||
<member>DEST PORT(S)</member>
|
||||
|
||||
<member>SOURCE PORT(S)</member>
|
||||
|
||||
<member>ORIGINAL DEST</member>
|
||||
|
||||
<member>RATE/LIMIT</member>
|
||||
|
||||
<member>USER/GROUP</member>
|
||||
|
||||
<member>MARK</member>
|
||||
|
||||
<member>CONLIMIT</member>
|
||||
|
||||
<member>TIME</member>
|
||||
|
||||
<member>HEADERS (Used in IPv6 only)</member>
|
||||
|
||||
<member>CONDITION</member>
|
||||
|
||||
<member>HELPER</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Versions >= 4.5.0</title>
|
||||
|
||||
@@ -342,6 +502,26 @@
|
||||
<member><filename>tunnels</filename></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>To allow finer-grained selection of the connection-tracking
|
||||
states that are passed through blacklists (both dynamic and static), a
|
||||
BLACKLIST option was added to shorewall.conf and shorewall6.conf in
|
||||
Shorewall 4.5.13.</para>
|
||||
|
||||
<para>The BLACKLISTNEWONLY option was deprecated at that point. A
|
||||
'shorewall update' ( 'shorewall6 update' ) will replace the
|
||||
BLACKLISTNEWONLY option with the equivalent BLACKLIST option.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
|
||||
BLACKLIST_LOG_LEVEL to be consistent with the other log-level option
|
||||
names. BLACKLIST_LOGLEVEL continues to be accepted as a synonym for
|
||||
BLACKLIST_LOG_LEVEL, but a 'shorewall update' or 'shorewall6 update'
|
||||
command will replace BLACKLIST_LOGLEVEL with BLACKLIST_LOG_LEVEL in
|
||||
the new .conf file.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user